WSO2 API Manager 2.6.

0
Fundamentals
Architecture
WSO2 Training
Components

WSO2 API Manager consists of an API gateway and collaboration space where API
publishers meet API consumers. The collaboration space consists of an API Store and
API Publisher.
- API Gateway: enables you to secure, protect, manage, and scale API calls.
- API Publisher: enables API providers to easily publish their APIs, share
documentation, provision API keys, and gather feedback on an API’s features,
quality and usage.
- API Store: provides a space for consumers to discover API functionality,
subscribe to APIs, evaluate them and interact with API publishers.
- Traffic Manager: The Traffic Manager helps users to regulate API traffic, make
APIs and applications available to consumers at different service levels, and
secure APIs against security attacks. The Traffic Manager features a dynamic
throttling engine to process throttling policies in real-time, including rate
limiting of API requests
- Analytics: Additionally, monitoring and analytics are provided by the analytics
component, WSO2 API Manager Analytics. This component provides a host
of statistical graphs, an alerting mechanism on pre-determined events and a
log analyzer. For more information
API Publisher

API Manager uses a simplified Web interface called WSO2 API Publisher for API
development, publication and management. It is a structured GUI designed for API
creators to develop, document, scale and version APIs, while also facilitating more
API management-related tasks such as publishing API, monetization, analyzing
statistics, quality and usage and promoting and encouraging potential consumers and
partners to adopt the API in their solutions.

Collaborative Web interface to

- Create APIs/API documentation
- Publish and advertise APIs
- Manage API lifecycle
- Receive community feedback
- Monetize usage
- Analyze statistics
Usage of API Publisher

The API Publisher can be used to:

- Publish APIs to external consumers and partners, as well as to internal users
- Ability to publish APIs to a selected set of gateways in a multi-gateway
environment
- Support enforcement of corporate policies for actions like subscriptions,
application creation, etc. via customizable workflows
- Manage API visibility and restrict access to specific partners or customers
- Manage API lifecycle from cradle to grave: create, publish, block, deprecate,
and retire
- Publish both production and sandbox keys for APIs to enable easy developer
testing
- Manage API versions and deployment status by version
- One-click deployment to API gateway for immediate publishing
API Publisher
● Develop APIs / API Changes
● Create API Docs

Develop

● Deploy APIs
● Monitor API Behavior ● Associate SLA
● Monitor API Consumers Monitor Publish
● Associate Security Requirements
● Gather Consumer Requirements ● Associate Rate Limits/Throttling

Manage

● API Lifecycle
● API Versions
● API Policies

Using the Publisher you can first develop the API and then publish it while managing
the lifecycle, versions and so on, and monitor how it is used.
API Store
● View top used, new featured APIs
● Search by name, tag or provider
● Save searches

Find

● Rate API ● View ratings, comments

● Share comments ● Download help and docs
● Feature requests Evaluate Explore ● Try it online
● Participate in forums ● Ask questions to owner

Subscribe

● Register applications
● Obtain key
● Subscribe to API
● Subscribe to API changes

Using the Publisher you can first develop the API and then publish it while managing
the lifecycle, versions and so on, and monitor how it is used.
API Store

API Manager provides a structured Web interface called the WSO2 API Store to host
published APIs. API consumers and partners can self-register to it on-demand to
find, explore and subscribe to APIs, evaluate available resources and collaboration
channels. The API store is where the interaction between potential API consumers
and API providers happen. Its simplified UI reduces time and effort taken when
evaluating enterprise-grade, secure, protected, authenticated API resources.

A collaborative Web interface to

- Self sign-up
- Subscribe to advertised APIs
- Get access token to invoke APIs
- Invoke APIs
- Engage with the API community (commenting/rating)
Usage of API Store

https://store.apicultur.com

● Graphical experience similar to popular applications stores. Try APIs directly

from the storefront
● Browse and search APIs by provider, tags, or name
● Self-registration for developer community to subscribe to APIs
● Subscribe to APIs (including key provisioning) and manage subscriptions on
per-application basis (at different service tiers)
● Common view of the store for users registered under same organization
● Developer interaction with APIs via forums, comments, and ratings
● View API consumer analytics
API Gateway

Security Collecting
Security Scaling API
Throttling Caching Statistical
Validations Calls
Policies Data

The API Gateway is a runtime, backend component developed using the WSO2 ESB,
which is proven for its performance capability. API Gateway secures, protects,
manages, and scales API calls. The API gateway is a simple API proxy that intercepts
API requests and applies policies such as throttling and security checks. It is also
instrumental in gathering API usage statistics. We use a set of handlers for security
validation and throttling purposes in the API Gateway. Upon validation, it passes
Web service calls to the actual back-end. If the service call is a token request call, API
Gateway passes it directly to the API Key Manager Server to handle it. By default,
there's a single Gateway instance (deployed either externally or embedded within the
Publisher), but you can also set up multiple Gateways to handle production and
sandbox requests separately.
(https://docs.wso2.com/display/AM260/Maintaining+Separate+Production+and+San
dbox+Gateways)
Key Manager

Used by the API Gateway to handle

security and access tokens (Internal
or External Key Manager)

The Key Manager manages all clients, security and access token-related operations.
The Gateway connects with the Key Manager to check the validity of OAuth tokens,
subscriptions and API invocations. When a subscriber creates an application and
generates an access token to the application using the API Store, the Store makes a
call to the API Gateway, which in turn connects with the Key Manager to create an
OAuth client and obtain an access token. Similarly, to validate a token, the API
Gateway calls the Key Manager, which fetches and validates the token details from
the database.
Key Manager
Get token from Key Manager
Client Application Key Manager
1

Send token
2 in API
Validate
request 3 token

Gateway

Backend Service
4

Send request to back-end if

token is valid

The Key Manager manages all clients, security and access token-related operations.
The Gateway connects with the Key Manager to check the validity of OAuth tokens,
subscriptions and API invocations. When a subscriber creates an application and
generates an access token to the application using the API Store, the Store makes a
call to the API Gateway, which in turn connects with the Key Manager to create an
OAuth client and obtain an access token. Similarly, to validate a token, the API
Gateway calls the Key Manager, which fetches and validates the token details from
the database.
Traffic Manager

Keeps a count of API requests

flowing through the API gateways
against various policies and ensures
the rate limits (quotas) are met.
Traffic Manager
Gateway checks if a request is
beyond quota before sending it
Client Application Gateway off to the back-end

Backend Service

Notify upon Send events to

reaching limits TM
asynchronously
Traffic Manager
Analytics

Analyses API requests for statistical

reporting and abnormality detection
Analytics

Client Application Gateway

Backend Service

Send events to
Analytics
Summarize API asynchronously
data for reporting API Analytics
Common User Roles

Admin

Creator Publisher

Subscriber

These user roles are common and standard in a typical enterprise setting. But they
are not mandatory. Users can change them according to their unique requirements.

- Admin: hosts and manages the server/s

- Creator: technical role that develops APIs
- Publisher: management role that publishes APIs, controls API lifecycle,
monetization etc.
- Subscriber: App developers who consume APIs

Each role has different levels of permission

The subscriber role is already available in APIM by default.

 Let’s try it out!

Getting Started with WSO2 API Manager

Defining Users and Roles